On June 2-3, various application security practitioners working in enterprises will share the lessons learned from their application security initiatives. Case studies of application security initiatives will be presented and dozens of questions will be answered. In the last few years there has been a huge surge in web application attacks, since around 70% of all web applications had security flaws... and now 80% of new malware is focused on the application layer.

Applications have become the easier attack target. With that change, the criminals added a new security challenge: not only must corporations, schools and governments ensure secure configuration and effective patch management, now they must also ensure the applications they deploy have no security flaws. The WhatWorks in Application Security Summit 2008 brings together the pioneers who have already faced the application security problem. If you are spending, or about to spend, a lot of money and want to make sure the investment actually improves security, these are real users who can tell you what works and what doesn't.

Agenda

Is this a developer problem or a security problem? What is the role of each and how do they work together?

What are the primary attack vectors criminals are using to compromise applications and which programming errors account for the vast majority of those attacks?

How can we ensure our programmers know the common security flaws and can consistently eliminate them from the code we are deploying? Training? Testing? Hiring? And how can we make sure our outsourced programmers and suppliers also have those skills?

How do you architect security into the development lifecycle? How do you implement a layered approach to application security? What is SDLC and is it enough?

In addition to the Credit Card Industry (PCI) Standard, what other standards demand improved application security and what do they specifically require?

Which application security software tools work best? Do we need a combination of these tools or will one suffice?

Black-box: web application scanners

White-box: code reviewers

Application security firewalls

How often do the tools create false positives and what are the best practices for dealing with false positives? And much more…

This could be a great place to learn from the experiences of others who have been in the hot seat and have real-life experience and insight into what worked for them, what didn't, and why.

You can get a 10% discount if you register early. To register go to: https://www.sans.org/registration/register.php?conferenceid=11223 and use the discount code WASC10.

Friday, April 11, 2008

RSA Conference 2008 is almost over. As usual there were so many companies showcasing their products and services, or in some cases just offering a little bit of fun like video games, rock climbing, etc.

I personally think there were more companies talking about web application security than last year. We still need some more companies with secure SDLC solutions to come out there. In addition, there were booths from NSA, US-CERT (DOJ), MITRE, ISSA, ISACA, CERT (Carnegie Mellon), etc.